BigFix Security Vulnerabilities

Each entry lists the CVE identifier, the (truncated) description as indexed, and the CVSS score, AI Score, EPSS probability and date shown in the listing.

CVE-2024-23551
  Database scanning using username and password stores the credentials in plaintext or encoded format within files at the endpoint. This has been identified as a significant security risk. This will lead to exposure of sensitive information for unauthorized access, potentially leading to severe...
  CVSS 6.5 | AI Score 7.2 | EPSS 0.0004 | 2024-05-07 10:15 PM

CVE-2024-23584
  The NMAP Importer service may expose data store credentials to authorized users of the Windows...
  CVSS 6.6 | AI Score 7.3 | EPSS 0.0004 | 2024-04-08 11:15 PM

CVE-2024-23540
  The HCL BigFix Inventory server is vulnerable to path traversal which enables an attacker to read internal application files from the Inventory server. The BigFix Inventory server does not properly restrict the served static...
  CVSS 5.3 | AI Score 7.2 | EPSS 0.0004 | 2024-04-03 05:15 PM

CVE-2023-45705
  An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration...
  CVSS 3.5 | AI Score 7.5 | EPSS 0.0004 | 2024-03-28 03:15 PM

CVE-2023-45715
  The console may experience a service interruption when processing file names with invalid...
  CVSS 3.5 | AI Score 7.3 | EPSS 0.0004 | 2024-03-28 03:15 PM

CVE-2023-45706
  An administrative user of WebReports may perform a Cross Site Scripting (XSS) and/or Man in the Middle (MITM) exploit through SAML...
  CVSS 2 | AI Score 6.5 | EPSS 0.0004 | 2024-03-28 03:15 PM

CVE-2023-37529
  A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information. This is not the same vulnerability as identified in...
  CVSS 3 | AI Score 3.9 | EPSS 0.0004 | 2024-02-29 01:40 AM

CVE-2023-37530
  A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored...
  CVSS 3 | AI Score 3.9 | EPSS 0.0004 | 2024-02-29 01:40 AM

CVE-2023-37531
  A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a form field of a webpage by a user with privileged...
  CVSS 3.3 | AI Score 6 | EPSS 0.0004 | 2024-02-29 01:40 AM

CVE-2023-37528
  A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to exploit an application parameter during execution of the Save...
  CVSS 6.1 | AI Score 6.3 | EPSS 0.001 | 2024-02-03 06:15 AM

CVE-2024-23553
  A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header...
  CVSS 5.4 | AI Score 6 | EPSS 0.0004 | 2024-02-02 09:15 PM

CVE-2023-37527
  A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code in the application session or in database, via remote injection, while rendering content in a web...
  CVSS 6.1 | AI Score 6.3 | EPSS 0.001 | 2024-02-02 07:15 PM

CVE-2023-37518
  HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running...
  CVSS 8.8 | AI Score 8.2 | EPSS 0.0005 | 2024-01-30 04:15 PM

CVE-2023-37523
  Missing or insecure tags in the HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower could allow an attacker to execute a malicious script on the user's...
  CVSS 9.8 | AI Score 7.5 | EPSS 0.001 | 2024-01-16 06:15 PM

CVE-2023-37522
  HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower has missing or insecure tags that could allow an attacker to execute a malicious script on the user's...
  CVSS 9.8 | AI Score 7.5 | EPSS 0.001 | 2024-01-16 04:15 PM

CVE-2023-37521
  HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower can sometimes include sensitive information in a query string which could allow an attacker to execute a malicious...
  CVSS 5.3 | AI Score 7.2 | EPSS 0.0005 | 2024-01-16 04:15 PM

CVE-2023-37520
  Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. This XSS vulnerability is in the Gather Status Report, which is served by the BigFix...
  CVSS 6.1 | AI Score 5.5 | EPSS 0.0005 | 2023-12-21 11:15 PM

CVE-2023-37519
  Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This XSS vulnerability is in the Download Status Report, which is served by the BigFix...
  CVSS 6.1 | AI Score 5.4 | EPSS 0.0005 | 2023-12-21 10:15 PM

CVE-2023-28025
  Due to this vulnerability, the Master operator could potentially incorporate an SVG tag into HTML, leading to an alert pop-up displaying a cookie. To mitigate stored XSS vulnerabilities, a preventive measure involves thoroughly sanitizing and validating all user inputs before they are processed...
  CVSS 4.8 | AI Score 6.1 | EPSS 0.0004 | 2023-12-21 01:15 AM

CVE-2023-37536
  An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP...
  CVSS 8.8 | AI Score 8.7 | EPSS 0.007 | 2023-10-11 07:15 AM

CVE-2022-44758
  BigFix Insights/IVR fixlet uses improper credential handling within certain fixlet content. An attacker can gain access to information that is not explicitly...
  CVSS 5.3 | AI Score 9.3 | EPSS 0.0005 | 2023-10-11 07:15 AM

CVE-2022-44757
  BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptography that can lead to credential exposure. An attacker could gain access to sensitive information, modify data in unexpected ways,...
  CVSS 8.2 | AI Score 7.4 | EPSS 0.001 | 2023-10-11 07:15 AM

CVE-2022-42451
  Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged...
  CVSS 4.4 | AI Score 6.9 | EPSS 0.0004 | 2023-10-11 06:15 AM

CVE-2023-28014
  HCL BigFix Mobile is vulnerable to a cross-site scripting attack. An authenticated attacker could inject malicious scripts into the...
  CVSS 5.4 | AI Score 5.2 | EPSS 0.0004 | 2023-07-27 12:15 AM

CVE-2023-28012
  HCL BigFix Mobile is vulnerable to a command injection attack. An authenticated attacker could run arbitrary shell commands on the WebUI...
  CVSS 8.8 | AI Score 9 | EPSS 0.0005 | 2023-07-27 12:15 AM

CVE-2023-28023
  A cross site request forgery vulnerability in the BigFix WebUI Software Distribution interface site version 44 and before allows an NMO attacker to access files on server side systems (server machine and all the ones in its...
  CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2023-07-18 08:15 PM

CVE-2023-28021
  The BigFix WebUI uses weak cipher...
  CVSS 7.5 | AI Score 7.5 | EPSS 0.001 | 2023-07-18 07:15 PM

CVE-2023-28020
  URL redirection in Login page in HCL BigFix WebUI allows malicious user to redirect the client browser to an external site via redirect URL response...
  CVSS 6.1 | AI Score 6.2 | EPSS 0.0005 | 2023-07-18 07:15 PM

CVE-2023-28019
  Insufficient validation in BigFix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL...
  CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2023-07-18 06:15 PM

CVE-2023-23344
  A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator...
  CVSS 6.5 | AI Score 6.4 | EPSS 0.0005 | 2023-06-23 06:15 AM

CVE-2023-28016
  Host Header Injection vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to supply invalid input to cause the OSD Bare Metal Server to perform a redirect to an attacker-controlled...
  CVSS 6.1 | AI Score 6.3 | EPSS 0.0005 | 2023-06-22 11:15 PM

CVE-2023-28006
  The OSD Bare Metal Server uses a cryptographic algorithm that is no longer considered sufficiently...
  CVSS 7.8 | AI Score 7.6 | EPSS 0.0004 | 2023-06-22 11:15 PM

CVE-2023-23343
  A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled...
  CVSS 6.1 | AI Score 6.1 | EPSS 0.0005 | 2023-06-22 10:15 PM

CVE-2021-27782
  HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid...
  CVSS 7.5 | AI Score 7.6 | EPSS 0.001 | 2023-01-20 07:15 AM

CVE-2022-38658
  BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data...
  CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2022-12-24 12:15 AM

CVE-2022-38655
  BigFix WebUI non-master operators are missing controls that prevent them from being able to modify the relevance of fixlets or to deploy fixlets from the BES Support external...
  CVSS 5.8 | AI Score 5.7 | EPSS 0.001 | 2022-12-21 05:15 PM

CVE-2022-42454
  Insights for Vulnerability Remediation (IVR) is vulnerable to man-in-the-middle attacks that may lead to information disclosure. This requires privileged network...
  CVSS 5.3 | AI Score 5 | EPSS 0.001 | 2022-12-21 05:15 PM

CVE-2022-44756
  Insights for Vulnerability Remediation (IVR) is vulnerable to improper input validation. This may lead to information disclosure. This requires privileged...
  CVSS 6.5 | AI Score 6.1 | EPSS 0.001 | 2022-12-21 05:15 PM

CVE-2022-38659
  In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely...
  CVSS 7.8 | AI Score 7.6 | EPSS 0.0004 | 2022-12-19 11:15 AM

CVE-2022-42453
  There are insufficient warnings when a Fixlet is imported by a user. The warning message currently assumes the owner of the script is the logged-in user, with insufficient warnings when attempting to run the...
  CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2022-12-19 11:15 AM

CVE-2022-27545
  BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration...
  CVSS 5.4 | AI Score 5.7 | EPSS 0.001 | 2022-07-19 04:15 PM

CVE-2022-27544
  BigFix Web Reports authorized users may see SMTP credentials in clear...
  CVSS 6.5 | AI Score 6.5 | EPSS 0.001 | 2022-07-19 04:15 PM

CVE-2021-27781
  The Master operator may be able to embed script tag in HTML with alert pop-up display...
  CVSS 4.8 | AI Score 5 | EPSS 0.001 | 2022-05-27 05:15 PM

CVE-2021-27780
  The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device...
  CVSS 5.3 | AI Score 5.4 | EPSS 0.001 | 2022-05-27 05:15 PM

CVE-2021-27783
  User generated PPKG file for Bulk Enroll may have unencrypted sensitive information...
  CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2022-05-25 05:15 PM

CVE-2021-27761
  Weak web transport security (Weak TLS): An attacker may be able to decrypt the data using...
  CVSS 7.5 | AI Score 7.5 | EPSS 0.002 | 2022-05-06 06:15 PM

CVE-2021-27767
  The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability...
  CVSS 7.8 | AI Score 7.3 | EPSS 0.0004 | 2022-05-06 06:15 PM

CVE-2021-27764
  Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag....
  CVSS 6.5 | AI Score 6.5 | EPSS 0.002 | 2022-05-06 06:15 PM

CVE-2021-27765
  The BigFix Server API installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability...
  CVSS 7.8 | AI Score 7.3 | EPSS 0.0004 | 2022-05-06 06:15 PM

CVE-2021-27762
  Misconfigured security-related HTTP headers: Several security-related headers were missing or mis-configured on the web...
  CVSS 9.8 | AI Score 9.4 | EPSS 0.002 | 2022-05-06 06:15 PM

Total number of security vulnerabilities: 107